Do Not Use Group, Shared, or Generic Authentication Methods
PCI Requirement 8.5 cautions, “Do not use group, shared, or generic IDs, passwords, or other authentication methods.” It also outlines the following requirements:
- Generic user IDs are disabled or removed.
- Shared user IDs do not exist for system administration and other critical functions.
- Shared and generic user IDs are not used to administer any system components.
Group, shared, or generic authentication methods cause a loss of accountability for the actions that have taken place within your systems and make it impossible to determine who has taken which actions. You should not use group, shared, or generic authentication methods for administrative purposes or any accounts that have access to sensitive cardholder data.
To verify compliance with PCI Requirement 8.5, a sample of user IDs should be examined to ensure your organization’s configurations are set up so that you do not use group, shared, or generic IDs, passwords, or other authentication methods. Policies and procedures will also be examined, along with staff interviews.
We started out in PCI Requirement 8.1, which says everyone needs their own unique username and password. Now we come down to PCI Requirement 8.5 that is kind of married to that. It says that we shouldn’t be using any group, shared, or generic IDs. You should not use these for administrative purposes or any accounts or service that has access to sensitive cardholder data.
One area where organizations get into trouble is with the use of root. There’s ways you can address this so that we can recreate the accountability that’s lost when more than one individual uses an account. If you have a Linux or Unix mainframe environment, when there is a root account being used, what I would recommend is using sudo to address the accountability aspect of these accounts.
From an assessment perspective, we’ll be interviewing administrative staff and talking about how to manage generic passwords. What do you do when your manager comes to you and says, “Create an account for this group of people.” We’ll also be looking at your authentication store to try and identify if you have generic accounts.
Understand that system accounts are not necessarily the same thing as a generic account. A system account is never used by an individual. These accounts are typically used for applications to run or for systems to operate and perform certain tasks. You should never have your staff logging onto these system accounts.
Understand that in the assessment process, we’re going to be asking for a list of all your authentication directories, we’re going to look at all places where you’re authenticating, all of your applications, and look to make sure you’re not sharing or using generic user accounts.